From 2ce5acf7edda75ff8f652bcd348fd89b5537ef09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Mon, 20 Dec 2021 14:41:19 +0100
Subject: [PATCH] MINOR: quic: Wrong packet refcount handling in qc_pkt_insert()

The QUIC connection I/O handler qc_conn_io_cb() could be called just after qc_pkt_insert() have inserted a packet in a its tree, and before qc_pkt_insert() have incremented the reference counter to this packet. As qc_conn_io_cb() decrement this counter, the packet could be released before qc_pkt_insert() might increment the counter, leading to possible crashes when trying to do so. So, let's make qc_pkt_insert() increment this counter before inserting the packet it is tree. No need to lock anything for that.
---
 src/xprt_quic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index bc4b07485..efebc57f2 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -3610,10 +3610,10 @@ static int qc_pkt_may_rm_hp(struct quic_rx_packet *pkt,
 static void qc_pkt_insert(struct quic_rx_packet *pkt, struct quic_enc_level *qel)
 {
 	pkt->pn_node.key = pkt->pn;
+	quic_rx_packet_refinc(pkt);
 	HA_RWLOCK_WRLOCK(QUIC_LOCK, &qel->rx.pkts_rwlock);
 	eb64_insert(&qel->rx.pkts, &pkt->pn_node);
 	HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &qel->rx.pkts_rwlock);
-	quic_rx_packet_refinc(pkt);
 }
 
 /* Try to remove the header protection of QUIC packet attached to
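Review bot: The reference taken by the moved `quic_rx_packet_refinc(pkt);` is now held on behalf of `qel->rx.pkts`, but nothing in qc_pkt_insert() records that ownership, and the return value of `eb64_insert()` is still discarded on the line below the lock; if the tree refuses the node (an ebtree with unique keys returns the already-present node instead of linking the new one), the extra reference would never be released by the tree — this is inferred, since the tree's uniqueness setting is not visible in the hunk. A comment above the new line would make the ordering contract explicit, e.g. `/* The tree holds a reference: take it before the packet becomes reachable from qel->rx.pkts, otherwise a concurrent qc_conn_io_cb() may drop the last reference first. */`. The commit message states that no locking is needed for the increment; whether quic_rx_packet_refinc() is atomic cannot be checked from this hunk, so that assumption is worth stating in the same comment. It would also be worth comparing the result of `eb64_insert()` with `&pkt->pn_node` and dropping the reference again when they differ.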